Malicious Hypervisor Threat - Phase Two: How to Catch the Hypervisor

Presented at DeepSec 2016 „Ten“

In our 2014 presentation we proved that the threat of a Malicious Hypervisor (MH) is a technical reality. The question is not whether it can be implemented. In our opinion it has been implemented and in use since 2007 - 2008 and, in all likelihood, another instance has been developed around 2009 - 2010. The question is when it will become available for real cyber terrorism attacks. We have not seen such an attack yet. More likely, MH has been used to collect important information silently and very effectively. However, we cannot control the underground exploitation of software development, and an MH attack may happen at any time. As we stressed in our 2014 presentation, there is no effective method to discover MH. So, having said A by doing our first MH research, we considered it our obligation to say B, dedicating the next phase of our research to the development of methods and tools to catch the MH. Our presentation will cover our research and development process, outlining some important ideas and findings and providing results proving that our methods and software work and can reliably be used to discover MH. However, we do not consider it productive to simply provide the exact details of the research and the development. We want to avoid "copy-cat" processes and would like to encourage security researchers and organizations to conduct independent research and development work using our "milestones". From our point of view, we achieved our goal: we have the methods and we have a tool utilizing these methods. We have both a demo and a production version of the Hypervisor Catcher tool, which can discover MH in a computer system with 99.99% reliability and within a very reasonable time frame. We do not think that we will be able to prevent MH attacks if they happen in the near future. However, at least we are now able to identify the silent deployment of such a devastating attack tool.
During the presentation I will briefly introduce the audience to the most important information and conclusions of our Phase 1 research (as discussed at DeepSec 2014). We will also discuss our analysis of the methods used in traditional "rootkit hypervisor" research to catch hypervisor activity. Then we will move on to our proposed methods and results. We will also give the audience some statistical information supporting our case. However, during our one-and-a-half-year-long research we gathered a lot of testing information which we simply cannot discuss within our presentation without killing any interest in our findings. We will try to balance everything we mentioned here to keep the audience happy and interested in the discussion.

Presenters:

  • Mikhail A. Utin - Rubos, Inc.
    Mikhail A. Utin completed his basic engineering education in 1975 in Computer Science and Electrical Engineering. His career in Russia included working for several research and engineering organizations. He received his Doctorate / PhD in Computer Science (1988) from what was then called the Academy of Science of the USSR. In 1988 he founded, and until 1990 led, an information technology company and worked successfully in the emerging private sector of Russia. Mikhail held several USSR patents and published numerous articles. He migrated to the US with his family in 1990 to escape political turmoil, hoping to continue his professional career. In the US he worked for numerous companies and organizations in the information technology and information security fields, including contract work for the US government DoN and DoT. Together with colleagues, Mikhail formed the private company Rubos, Inc. for IT security consulting and research in 1998 and worked as an (ISC)2 certified professional for 9 years. He has published articles on the Internet and in professional journals, and is a reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective. His current research focuses on information security governance, regulations and management, and the relationship between regulations, technology, business activities and businesses' security status. Most of his research is pioneering work and an exploration of complex security problems outside of information security's mainstream, or of problems considered impossible to resolve.
